infra/roles/authentik/tasks/authentik.yml


---
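- name: install certs
  # NOTE(review): src has no trailing slash, so the whole live/<name> directory
  # is copied — presumably including the private key — and every copied file
  # gets this mode, which leaves the key world-readable on the host. nginx
  # reads it as root; confirm no other non-root consumer exists before
  # tightening to "0750".
  copy:
    src: "/usr/local/etc/letsencrypt/live/{{ item }}"
    dest: "/usr/local/etc/certs/"
    owner: root
    group: root
    mode: "0755"  # quoted: an unquoted leading-zero mode is parser-dependent (YAML 1.1 octal vs 1.2 decimal)
  vars:
    prediff_cmd: echo
  notify: reload nginx
  tags:
    - letsencrypt-certs
  with_items:
    - "{{ authentik_login_url }}"
    - "{{ domain }}"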
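- name: make dirs
  # Creates the per-service directories under the authentik home, owned by the
  # service account and closed to "other"; the container tasks below bind-mount
  # most of these.
  file:
    path: "{{ systemuserlist.authentik.home }}/{{ item }}"
    state: directory
    owner: authentik
    group: authentik
    mode: "0750"  # quoted: keeps the leading zero meaningful on any YAML parser
  with_items:
    - media
    - templates
    - geoip
    - conf
    - backups
    - ssh
    - certs
    - "certs/{{ domain }}"  # quoted for consistency with the other templated values in this file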
- name: make redis dir
  # No owner/group/mode is set here, unlike "make dirs" above, so the directory
  # takes the defaults of the account Ansible runs as — presumably root. The
  # redis task below sets no "user:", so the container would write /data as
  # root too; confirm that is intended.
  file:
    state: directory
    path: "{{ systemuserlist.authentik.home }}/redis"
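- name: postgresql user
  # Creates/updates the authentik role; the password is stored hashed
  # (encrypted: true). no_log keeps the plaintext out of verbose/-vvv output
  # and failure messages, where module arguments are otherwise echoed.
  no_log: true
  become_user: postgres
  postgresql_user:
    name: "{{ systemuserlist.authentik.username }}"
    password: "{{ systemuserlist.authentik.postgres_passwd }}"
    encrypted: true
    state: present
  tags:
    - users
    - postgresql
    - postgresql-users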
- name: postgresql database
  # The database is named after the role created in the previous task.
  # template0 is used because an explicit lc_* that may differ from the
  # cluster default cannot be applied on top of template1.
  become_user: postgres
  postgresql_db:
    state: present
    name: "{{ systemuserlist.authentik.username }}"
    template: template0
    encoding: UTF8
    lc_collate: 'C'
    lc_ctype: 'C'
  tags:
    - postgresql-users
    - postgresql
    - users
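- name: template psql backup script
  # Backup script is owned by the service account and not readable by "other";
  # it is run from the cron file templated in the next task.
  template:
    src: authentik-postgres-backup.sh.j2
    dest: /usr/local/bin/authentik-postgres-backup.sh
    owner: authentik
    group: authentik
    mode: "0750"  # quoted: keeps the leading zero meaningful on any YAML parser
  tags:
    - backup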
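- name: cron file
  # /etc/cron.d entries must be root-owned and not group/world-writable or cron
  # ignores them; 0600 root:root satisfies that and hides the schedule from
  # other local users.
  template:
    src: authentik-cron.j2
    dest: /etc/cron.d/authentik
    owner: root
    group: root
    mode: "0600"  # quoted: keeps the leading zero meaningful on any YAML parser
  tags:
    - backup
    - cron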
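- name: template config files
  # Renders GeoIP.conf, env and default.yml into the conf dir. "env" is handed
  # to the server/worker containers via env_file further down, so any secrets
  # it carries live on disk here — owner/group restrict it to authentik.
  # NOTE(review): in --diff mode the rendered content is printed; if env holds
  # credentials, consider suppressing output for this task.
  template:
    src: "{{ item }}.j2"
    dest: "{{ systemuserlist.authentik.home }}/conf/{{ item }}"
    owner: authentik
    group: authentik
    mode: "0750"  # quoted: keeps the leading zero meaningful on any YAML parser
  with_items:
    - GeoIP.conf
    - env
    - default.yml
  tags:
    - authentik-config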
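- name: template nginx vhost
  # Public-facing vhost in front of the authentik-server container; nginx is
  # reloaded via the handler when the rendered file changes.
  template:
    src: 01-authentik.conf.j2
    dest: /etc/nginx/sites-enabled/01-authentik
    owner: root
    group: root
    mode: "0644"  # quoted: keeps the leading zero meaningful on any YAML parser
  notify: reload nginx
  tags:
    - nginx
    - authentik-nginx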
- name: redis container for authentik
  tags:
    - redis
    - docker-containers
    - authentik-container
  # NOTE(review): "latest" combined with pull: true re-pulls whatever the tag
  # points at on every run, so the deployed redis version is neither pinned nor
  # reproducible; a fixed tag or digest would make it so.
  # NOTE(review): no requirepass/ACL is configured in this task, so other
  # containers on bridgewithdns can presumably reach redis unauthenticated —
  # confirm that is acceptable for the data authentik stores in it.
  docker_container:
    name: authentik-redis
    image: 'redis:latest'
    pull: true
    state: started
    detach: true
    auto_remove: false
    restart_policy: unless-stopped
    container_default_behavior: compatibility
    env:
      REDIS_HOST: authentik-redis
    network_mode: bridgewithdns
    networks_cli_compatible: false
    networks:
      - name: bridgewithdns
    healthcheck:
      test: "redis-cli --raw incr ping"
      interval: 30s
      timeout: 60s
      start_period: 10s
    mounts:
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/redis"
        target: /data
- name: geoip container for authentik
  tags:
    - docker-containers
    - authentik-container
  # The updater is created but left in "state: stopped"; the geoip bind mount in
  # the server/worker tasks is also commented out, so this appears to be
  # deliberately parked. It runs as the authentik uid:gid, not root.
  # NOTE(review): GEOIPUPDATE_LICENSE_KEY is a credential passed as a plain env
  # value; docker_container echoes env on change unless output is suppressed.
  # NOTE(review): AUTHENTIK_AUTHENTIK__GEOIP looks like an authentik setting
  # rather than a geoipupdate one — verify it is picked up anywhere here.
  docker_container:
    name: authentik-geoip
    image: 'maxmindinc/geoipupdate:latest'
    pull: true
    state: stopped
    detach: true
    auto_remove: false
    restart_policy: unless-stopped
    container_default_behavior: compatibility
    user: "{{ systemuserlist.authentik.uid }}:{{ systemuserlist.authentik.gid }}"
    env:
      GEOIPUPDATE_ACCOUNT_ID: "{{ geoip_account_id }}"
      GEOIPUPDATE_LICENSE_KEY: "{{ geoip_license }}"
      GEOIPUPDATE_EDITION_IDS: 'GeoLite2-City'
      GEOIPUPDATE_FREQUENCY: '8'
      AUTHENTIK_AUTHENTIK__GEOIP: /geoip/GeoLite2-City.mmdb
    network_mode: bridgewithdns
    networks_cli_compatible: false
    networks:
      - name: bridgewithdns
    mounts:
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/geoip"
        target: '/usr/share/GeoIP'
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/conf/GeoIP.conf"
        target: /etc/GeoIP.conf
- name: start server container
  # authentik API/UI process, pinned to a fixed address on bridgewithdns so the
  # nginx vhost can proxy to it. Runs as the authentik uid:gid, not root, and
  # receives its configuration from the env file rendered by "template config
  # files".
  # NOTE(review): "latest" with pull: true means each run may deploy a new
  # upstream release; pin a tag or digest for reproducible, reviewable upgrades.
  docker_container:
    name: authentik-server
    image: ghcr.io/goauthentik/server:latest
    #image: benediktkr/authentik:latest
    pull: true
    state: started
    detach: true
    auto_remove: false
    restart_policy: unless-stopped
    container_default_behavior: compatibility
    user: "{{ systemuserlist.authentik.uid }}:{{ systemuserlist.authentik.gid }}"
    command: server
    env_file: "{{ systemuserlist.authentik.home }}/conf/env"
    network_mode: bridgewithdns
    networks_cli_compatible: false
    networks:
      - name: bridgewithdns
        ipv4_address: "{{ bridgewithdns.authentik_server }}"
    mounts:
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/media"
        target: '/media'
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/templates"
        target: '/templates'
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/ssh"
        target: '/authentik/.ssh'
      # Disabled mounts kept for reference (certs, geoip, default.yml):
      # - type: bind
      #   source: "{{ systemuserlist.authentik.home }}/certs"
      #   target: "/certs"
      #   read_only: false
      # - type: bind
      #   source: "{{ systemuserlist.authentik.home }}/geoip"
      #   target: "/geoip"
      # - type: bind
      #   source: "{{ systemuserlist.authentik.home }}/conf/default.yml"
      #   target: "/authentik/lib/default.yml"
- name: start worker container
  # Background worker for the server above: same image, same uid:gid and env
  # file, its own fixed address, plus the backups and certs directories.
  # NOTE(review): read_only: false on the certs mount is the default and gives
  # the worker write access to the host certs directory; if it only needs to
  # read certificates, mount it read-only.
  # NOTE(review): keep the docker.sock mount below commented out — access to
  # the socket is equivalent to root on the host.
  # NOTE(review): "latest" with pull: true means each run may deploy a new
  # upstream release; pin a tag or digest for reproducible, reviewable upgrades.
  docker_container:
    name: authentik-worker
    image: ghcr.io/goauthentik/server:latest
    #image: benediktkr/authentik:latest
    pull: true
    state: started
    detach: true
    auto_remove: false
    restart_policy: unless-stopped
    container_default_behavior: compatibility
    user: "{{ systemuserlist.authentik.uid }}:{{ systemuserlist.authentik.gid }}"
    command: worker
    env_file: "{{ systemuserlist.authentik.home }}/conf/env"
    network_mode: bridgewithdns
    networks_cli_compatible: false
    networks:
      - name: bridgewithdns
        ipv4_address: "{{ bridgewithdns.authentik_worker }}"
    mounts:
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/backups"
        target: '/backups'
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/media"
        target: '/media'
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/certs"
        target: '/certs'
        read_only: false
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/templates"
        target: '/templates'
      - type: bind
        source: "{{ systemuserlist.authentik.home }}/ssh"
        target: '/authentik/.ssh'
      # Disabled mounts kept for reference (geoip, default.yml, docker.sock):
      # - type: bind
      #   source: "{{ systemuserlist.authentik.home }}/geoip"
      #   target: "/geoip"
      # - type: bind
      #   source: "{{ systemuserlist.authentik.home }}/conf/default.yml"
      #   target: "/authentik/lib/default.yml"
      # - type: bind
      #   source: /var/run/docker.sock
      #   target: /var/run/docker.sock